One of the most important reasons to properly manage Android devices within an organization is to protect corporate data.
Organizations can require any Android devices that employees use for work purposes to comply with company policies before gaining access to corporate data. After allowing access, organizations can still control the corporate data and remotely wipe it from the Android devices.
When an Android device is stolen or lost, an IT administrator can trigger a remote wipe to make sure that the corporate data doesn't get into the wrong hands. A remote wipe can also be useful in BYOD scenarios. For example, when an employee decides to leave the organization and should no longer have access to corporate data, IT can wipe any corporate data from the BYOD Android smartphone while leaving personal data intact.
Wipe options for managed Android devices
For IT admins who use mobile device management (MDM) to manage employee devices, there are two different options for wiping an Android device. Admins can choose to either wipe a device or wipe an account. These options are also referred to as a full wipe and a selective wipe, respectively. When managing devices in Microsoft Intune specifically, admins will see these options as a wipe and a retire. While the naming varies between platforms, each method produces the same outcome regardless of vendor:
- Wipe a device. Wipes all the user accounts, data and MDM policies and settings by resetting the Android device to its factory defaults and settings. This is also sometimes called a full wipe; in Microsoft Intune, this is simply called a Wipe.
- Wipe an account. Wipes the corporate user account, including the corporate data and settings, completely deleting the user's work profile from the Android device. This is also sometimes called a selective wipe; in Microsoft Intune, this is called a Retire.
Besides the different wipe options for Android devices, most MDM vendors also provide wipe options for managed apps on Android devices. In Microsoft Intune, there are managed apps that support multiple identities. If admins wipe the corporate data from those managed apps, the action will not affect any personal data in the same app. This method is especially useful for personal Android devices.
Wipe options for different Android management types
The availability of the different wipe options for Android devices depends on the MDM provider, as well as the management privileges on the device. With Android smartphones, users can have either profile owner permissions or device owner permissions on the device. Those permissions are mainly related to the ownership of the Android device and the type of management it is under.
On a personally owned Android device, the user must install the management app of the MDM provider and enroll the Android device. After enrollment, the management app creates a separate work profile on the Android device. That provides the organization with profile owner permissions within the work profile.
On corporate-owned Android devices, the device is enrolled into the MDM provider during the out-of-box experience. For most management types, this provides the organization with device owner permissions on the Android device. However, there is one exception: corporate-owned Android devices with Work Profile. In this case, the organization has profile owner permissions with some additional control over the device. From a wipe perspective, the effect is the same as for all other corporate-owned Android device management types.
The following management types are most common for Android devices:
- Work Profile. A separate profile for work and personal use.
- Fully managed. A fully managed Android device with a personal touch.
- Dedicated. A kiosk-style Android device.
Depending on the management type and ownership situation, there are different available wipe options (Figure 1).
How to perform a remote wipe of an Android device with Microsoft Intune
IT admins can perform a remote wipe of an Android device through the organization's MDM provider. For most MDM providers, the process is relatively easy to carry out. Using Microsoft Intune as this example, admins can remotely wipe an Android device by following these steps:
1. Open the Microsoft Endpoint Manager portal, sign in with an account with the required permissions and navigate to Devices > Android > Android devices.
The user performing the remote wipe or remote retire action in Microsoft Intune needs at least the Wipe and Retire permissions that are available within the Remote tasks category.
2. On the Android | Android devices page, select the specific Android device and click on Wipe or Retire, depending on the management type of the Android device (Figure 2).
3. In the confirmation dialog box, confirm that you understand the impact of the remote action before clicking to continue (Figure 3).
Additionally, most MDM vendors provide methods for further automating this process in specific situations. In Microsoft Intune, there is the option to automatically retire an Android device when it doesn't comply with company policies. When the device is not compliant, Microsoft Intune adds it to a list with noncompliant devices in the portal. IT administrators can go through that list and either retire a specific device on it or retire all the devices on it.
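The same wipe-or-retire decision that steps 1 to 3 make in the portal, and the noncompliant-device list the last paragraph describes, can be scripted against the Microsoft Graph managedDevice wipe and retire actions. This is an added example, not code from the article or from Microsoft; it assumes a bearer token for Graph in the INTUNE_TOKEN environment variable, uses constructed device records, and only issues requests when dry_run is switched off.

```python
"""Map ownership to the Intune action (retire for personal, wipe for corporate) and build the Graph call."""
import json
import os
import urllib.request

# Microsoft Graph v1.0 managedDevice actions: POST .../{id}/wipe and POST .../{id}/retire (both return 204).
GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"

# Constructed sample records in the shape Graph returns for managedDevice (ids are placeholders).
SAMPLE_DEVICES = [
    {"id": "00000000-0000-0000-0000-000000000001", "deviceName": "byod-pixel",
     "operatingSystem": "Android", "managedDeviceOwnerType": "personal", "complianceState": "noncompliant"},
    {"id": "00000000-0000-0000-0000-000000000002", "deviceName": "corp-kiosk",
     "operatingSystem": "Android", "managedDeviceOwnerType": "company", "complianceState": "noncompliant"},
]

def choose_action(device):
    """Personally owned (work profile, profile owner rights) -> retire = selective wipe.
    Corporate-owned (device owner rights, including corporate work profile) -> wipe = factory reset.
    Anything else is refused rather than guessed, because a wrong guess destroys personal data."""
    if device.get("operatingSystem", "").lower() != "android":
        raise ValueError("not an Android device: %s" % device.get("deviceName"))
    owner = device.get("managedDeviceOwnerType")
    if owner == "personal":
        return "retire"
    if owner == "company":
        return "wipe"
    raise ValueError("unknown ownership for %s; refusing to pick a wipe type" % device.get("deviceName"))

def build_request(device, action):
    """Return (method, url, body). wipe takes an options body; retire has none."""
    url = "%s/%s/%s" % (GRAPH, device["id"], action)
    body = {"keepEnrollmentData": False, "keepUserData": False} if action == "wipe" else None
    return "POST", url, body

def plan_noncompliant(devices):
    """Mirror the portal's noncompliant-device list: the action planned for each device, no side effects."""
    return [(d["deviceName"], choose_action(d)) for d in devices if d.get("complianceState") == "noncompliant"]

def send(method, url, body, dry_run=True):
    """Issue the action. dry_run=True (default) returns None without touching Graph."""
    if dry_run:
        return None
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": "Bearer " + os.environ["INTUNE_TOKEN"], "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:  # assumption: 204 No Content signals the action was queued
        return resp.status

if __name__ == "__main__":
    for name, action in plan_noncompliant(SAMPLE_DEVICES):
        print("%s -> %s (dry run)" % (name, action))
```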